Cross Examining Cyber EP23: Cross Examining Professor Ciaran Martin – Part 2
What makes a great lawyer in a cyber incident response?
This is a key question that I explored during part 2 of our podcast with Professor Ciaran Martin, a world-leading cyber thought leader.
The question challenged Ciaran, but he answered it succinctly as “one do and one don’t”. The best incident leaders loosen control (the “do”) rather than tighten it (the “don’t”). A damaging instinct in a crisis (often driven by impractical lawyering) is locking everything down and keeping help out for fear of liability. In practice, faster recovery usually comes from working openly with the broader cyber response community. Most people genuinely want to help.
Here were my other favourite pieces of wisdom shared by Ciaran coming out of the discussion.
- The “pyramid of liability” has inverted. When something goes wrong, we still reach for the easiest explanation – i.e. “someone clicked the link”. That’s comforting, but it misses the point. Most incidents are really about upstream failures — poor software design, weak procurement choices, and a lack of accountability for vendors and platforms. Blaming frontline users (including our corporates) just ignores the real source.
- Transparency after an incident doesn’t destroy trust, but builds it. There’s a strong instinct (again, I'm sorry, but often driven by legal) to say as little as possible. But if you actually look at major incidents over time, the organisations that were sensibly open about what happened and what failed didn’t suffer lasting reputational or commercial damage. If anything, they earned goodwill — from regulators, peers and the broader ecosystem. The "what" are questions of fact and are often not protected by privilege anyway.
- Cyber planning breaks down when it obsesses over data and ignores continuity. There are numerous examples in the healthcare space. Legal duties pushed decision‑makers to prioritise protecting data over keeping life‑saving services running. That’s a structural flaw. In some crises, loss of service is far more harmful than loss of data — yet our frameworks don’t always reflect that.
- Along this line, operational outages are more dangerous than data breaches — and we’re not ready for them. When ports, airlines or hospitals go down, the economic and social impact is immediate and severe. These aren’t just “bigger data breaches”; they’re a different category of risk altogether. Australia hasn’t yet experienced one at scale, but when it does, the shock will be national. It's certainly my biggest fear.
- Ransomware only works if we treat threats as credible. Data extortion relies on panic and amplification. Australia’s experience shows that when institutions, media and law enforcement refuse to play along — and don’t amplify stolen data — attackers lose leverage, even if data technically leaks. The economics of the cyber criminal model collapse surprisingly quickly.
There’s loads more in the full podcast (~20 minutes). Definitely worth a save and watching or listening on your commute to/from work. This is Cross Examining Professor Ciaran Martin – Part 2. Here we go…